pkg:Debian/python3.14

27 total CVEs: CRITICAL 1, HIGH 1, MEDIUM 6, LOW 1

All known vulnerabilities

  • CRITICAL 9.8 CVE-2026-7210: The expat and elementtree parsers use insufficient entropy for XML hash-flooding protection
    from 0
  • HIGH 7.5 CVE-2025-13836: Excessive read buffering DoS in http.client
    from 0, < 3.14.2-1
  • MEDIUM 6.1 CVE-2026-6019: BaseCookie.js_output() does not neutralize embedded characters
    from 0, < 3.14.5~rc1-1
  • MEDIUM 5.5 CVE-2025-13837: Out-of-memory when loading Plist
    from 0, < 3.14.2-1
  • MEDIUM 5.5 CVE-2025-6075: Quadratic complexity in os.path.expandvars() with user-controlled template
    from 0, < 3.14.2-1
  • MEDIUM 5.3 CVE-2025-12781: base64.b64decode() always accepts "+/" characters, despite setting altchars
    from 0
  • MEDIUM 5.3 CVE-2025-12084: Quadratic complexity in node ID cache clearing
    from 0, < 3.14.2-1
  • MEDIUM 4.3 CVE-2025-8291: ZIP64 End of Central Directory (EOCD) Locator record offset not checked
    from 0, < 3.14.0-3
  • LOW 3.3 CVE-2026-4519: webbrowser.open() allows leading dashes in URLs
    from 0, < 3.14.4-1
  • CVE-2026-8328: FTP PASV SSRF, ftpcp() does not use actual peer address, trusts server-supplied PASV host address
    from 0
  • CVE-2026-5713: Out-of-bounds read/write during remote profiling and asyncio process introspection when connecting to malicious target
    from 0, < 3.14.5-1
  • CVE-2026-4786: Incomplete mitigation of CVE-2026-4519, %action expansion for command injection to webbrowser.open()
    from 0, < 3.14.5-1
  • CVE-2026-6100: Use-after-free in lzma.LZMADecompressor, bz2.BZ2Decompressor, and gzip.GzipFile after re-use under memory pressure
    from 0, < 3.14.5~rc1-1
  • CVE-2026-3446: Base64 decoding stops at first padded quad by default
    from 0, < 3.14.4-1
  • CVE-2026-1502: HTTP client proxy tunnel headers not validated for CR/LF
    from 0, < 3.14.5-1
  • CVE-2026-3479: pkgutil.get_data() does not enforce documented restrictions
    from 0
  • CVE-2026-4224: Stack overflow parsing XML with deeply nested DTD content models
    from 0, < 3.14.3-4
  • CVE-2026-3644: Incomplete control character validation in http.cookies
    from 0, < 3.14.3-4
  • CVE-2025-13462: tarfile: Skip DIRTYPE normalization during GNU LONGNAME/LONGLINK handling
    from 0, < 3.14.3-4
  • CVE-2026-2297: SourcelessFileLoader does not use io.open_code()
    from 0, < 3.14.3-4
  • CVE-2026-1299: email BytesGenerator header injection due to unquoted newlines
    from 0, < 3.14.3-1
  • CVE-2026-0865: wsgiref.headers.Headers allows header newline injection
    from 0, < 3.14.3-1
  • CVE-2026-0672: Header injection in http.cookies.Morsel
    from 0, < 3.14.3-1
  • CVE-2025-15367: POP3 command injection in user-controlled commands
    from 0
  • CVE-2025-15366: IMAP command injection in user-controlled commands
    from 0
  • CVE-2025-15282: Header injection via newlines in data URL mediatype
    from 0, < 3.14.3-1
  • CVE-2025-11468: Folding email comments of unfoldable characters doesn't preserve parenthesis
    from 0, < 3.14.3-1